Although biometric-based methods for verifying a mobile user's identity when doing online transactions have been talked about for quite a while, recent innovations in online authentication are making them a reality.

At the Mobile World Congress earlier this year, PayPal announced a partnership with Samsung to make the Android-based Galaxy S5 the first mobile handset that allows people to shop and pay in a store or on their mobile device using just a fingerprint for authentication.

The purpose of this article is to show you a few pieces of the technology that’s making fingerprint authentication for payments a reality:

Galaxy S5 authentication technology consists of hardware that uniquely recognizes a fingerprint and maps that information to a unique identifier. The identifier is then used to unlock per-application cryptographic keys; what an application receives is a public key and signatures, never the fingerprint data itself. Hence the fingerprint never leaves the device, and because each application gets its own key, one app's key cannot be used to recognize the user in another, protecting the user's privacy across apps.

The FIDO Alliance was formed last year to address the lack of interoperability among strong authentication devices and the problems users face in creating and remembering multiple usernames and passwords.

The password-less UAF protocol lets mobile device users register their devices with an online service by selecting a local authentication mechanism such as swiping a finger, looking at the camera, speaking into the microphone, or entering a PIN. Registration produces a key pair specific to that service, and only the public key is sent to it. The UAF protocol allows the service to select which mechanisms are presented to the user.

Once registered, the user simply repeats the local authentication action whenever they need to authenticate to the service. The user no longer needs to enter their password when authenticating from that device. UAF also allows experiences that combine multiple authentication mechanisms such as fingerprint + PIN.

In the diagram above, Steps 1a and 1b represent the request by the respective application to obtain an authenticated token (i.e., an access token) for calling PayPal services. The Android Account Manager identifies and instantiates the PayPal Authenticator and forwards the request to it, as you'll see in Step 2.

The PayPal Authenticator then authenticates the user by prompting for email/password or phone/PIN, or by asking the FIDO Client (Step 3) to complete one of the biometric authenticator schemes (fingerprint in this case). For FIDO authentication there is an authentication challenge request/response in the background, for device and FIDO authenticator validation, that is not shown in the diagram above; it takes place before the user is asked to swipe a finger.

Another cool feature is that a user's fingerprint, or any of its characteristics, never leaves the device (or in other words the FIDO Authenticator). A successful fingerprint match unlocks a private signing key that is stored in a secure place on the phone; the key is not derived from the fingerprint and the fingerprint is not transmitted. What is exchanged with the service are public keys and signatures, which reveal nothing about the physical identity of the user. The public key is sent to the service during the FIDO registration process, Steps 2a, 2b, and 2c.

Once the user's credentials have been verified, or the FIDO authentication response has been obtained from the FIDO Client, the PayPal Authenticator connects to PayPal's authentication and authorization service (Step 4 in the diagram above). An access token is returned to the PayPal Authenticator, which hands the same access token back to the calling application. The application can then call PayPal APIs with this access token (Step 5 in the diagram above).
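The UAF registration and challenge/response exchange described above (the key exchange of Steps 2a-2c and the background challenge that precedes the finger swipe in Step 3), as an added example that is not part of the original post or of PayPal's or the FIDO Alliance's code. It is a Go simulation of both sides: an authenticator that holds one P-256 key pair per app and signs a server nonce only after a (simulated) fingerprint match, and a relying party that stores the public key at registration, issues single-use challenges, checks the signature, and rejects replays and cloned authenticators through a signature counter. The app ID, the boolean standing in for the sensor's match result, and the `appID|challenge|counter` hash are assumptions for illustration; real UAF assertions use the TLV-encoded formats from the specification, and the access token of Step 4 would be minted once `Verify` returns nil.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the device-side FIDO authenticator: the fingerprint match result stays inside it.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey // one key pair per app ID; private keys never leave
	counter uint32                       // signature counter, lets the server spot a cloned authenticator
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a fresh key pair bound to appID after a successful local match and
// returns only the public key. fingerprintMatched is an assumed stand-in for the sensor's verdict.
func (a *Authenticator) Register(appID string, fingerprintMatched bool) (*ecdsa.PublicKey, error) {
	if !fingerprintMatched {
		return nil, errors.New("local user verification failed")
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[appID] = priv
	return &priv.PublicKey, nil
}

// Sign answers a challenge with the key registered for appID only, which keeps apps unlinkable.
func (a *Authenticator) Sign(appID string, challenge []byte, fingerprintMatched bool) ([]byte, uint32, error) {
	priv, ok := a.keys[appID]
	if !ok {
		return nil, 0, errors.New("no key registered for this app")
	}
	if !fingerprintMatched {
		return nil, 0, errors.New("local user verification failed")
	}
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(appID, challenge, a.counter))
	return sig, a.counter, err
}

// signedData binds the signature to app, server nonce and counter (simplified stand-in for the UAF assertion format).
func signedData(appID string, challenge []byte, counter uint32) []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%x|%d", appID, challenge, counter)))
	return sum[:]
}

// RelyingParty models the online service (PayPal's authentication service in the post).
type RelyingParty struct {
	AppID       string
	Users       map[string]*ecdsa.PublicKey // public key received in the registration response
	lastCounter map[string]uint32
	pending     map[string][]byte // outstanding single-use challenge per user
}

func NewRelyingParty(appID string) *RelyingParty {
	return &RelyingParty{appID, map[string]*ecdsa.PublicKey{}, map[string]uint32{}, map[string][]byte{}}
}

// Challenge issues a fresh random nonce; the device must sign exactly this one, once.
func (rp *RelyingParty) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	rand.Read(nonce) // guaranteed not to fail on Go 1.24+; check the error on older toolchains
	rp.pending[user] = nonce
	return nonce
}

// Verify checks the assertion; a nil result is the point at which the service would mint the access token of Step 4.
func (rp *RelyingParty) Verify(user string, sig []byte, counter uint32) error {
	pub, challenge := rp.Users[user], rp.pending[user]
	delete(rp.pending, user) // consumed whether or not it verifies
	if pub == nil || challenge == nil {
		return errors.New("unknown user or no outstanding challenge")
	}
	if counter <= rp.lastCounter[user] {
		return errors.New("counter did not increase: replay or cloned authenticator")
	}
	if !ecdsa.VerifyASN1(pub, signedData(rp.AppID, challenge, counter), sig) {
		return errors.New("bad signature")
	}
	rp.lastCounter[user] = counter
	return nil
}

func main() {
	auth, paypal := NewAuthenticator(), NewRelyingParty("com.paypal.android") // assumed app ID
	pub, _ := auth.Register(paypal.AppID, true)
	paypal.Users["alice"] = pub
	sig, ctr, _ := auth.Sign(paypal.AppID, paypal.Challenge("alice"), true)
	fmt.Println(paypal.Verify("alice", sig, ctr), paypal.Verify("alice", sig, ctr)) // <nil>, then the replay is rejected
}
```

Two points the code makes that the prose only states: the private key is a map entry that no method ever returns, so the fingerprint and the key both stay on the device, and because `Sign` looks up the key by app ID, a key registered for one service cannot produce a valid assertion for another, which is the per-app privacy property. The relying party consumes a challenge on first use and requires the counter to increase, so a captured assertion cannot be replayed and a cloned authenticator falls out of sync.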